From 2d135fdb54630014d827319446b25eb17327e358 Mon Sep 17 00:00:00 2001
From: Maximilian Stiefel
Date: Sat, 22 Aug 2020 19:51:07 +0200
Subject: [PATCH] Sanitized directory input string

---
 Dockerfile | 6 +++---
 web/converter.php | 15 ++++++++++-----
 2 files changed, 13 insertions(+), 8 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index f287fa3..b7bbaad 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -24,7 +24,7 @@ RUN apt install unzip wget -y
 RUN mkdir -p /var/www/html/images && chmod -R 777 /var/www/html/images
 # Compile and install inkscape
 RUN cd /tmp \
- && wget https://gitlab.com/inkscape/inkscape/-/archive/INKSCAPE_1_0/inkscape-INKSCAPE_1_0.zip
+ && wget https://gitlab.com/inkscape/inkscape/-/archive/INKSCAPE_1_0/inkscape-INKSCAPE_1_0.zip \
 && wget https://gitlab.com/inkscape/inkscape-ci-docker/-/raw/master/install_dependencies.sh
 RUN cd /tmp \
 && chmod +x install_dependencies.sh \
@@ -38,7 +38,7 @@ RUN cd /tmp \
 && make -j4 \
 && make install
 # Install rpl
-RUN apt install rpl
-RUN apt remove unzip wget
+RUN apt install rpl -y
+RUN apt remove unzip wget -y
 # Run apache
 CMD apachectl -D FOREGROUND
diff --git a/web/converter.php b/web/converter.php
index f48d79a..fd4b288 100755
--- a/web/converter.php
+++ b/web/converter.php
@@ -27,10 +27,14 @@ $file_ext=strtolower(end(explode('.',$_FILES['image']['name'])));
 $extensions= array("svg");
 $upload_dir = "./images/";
-$dir_name = $_POST['dir_name'];
-$without_extension = pathinfo($file_name, PATHINFO_FILENAME);
+$dir_str = $without_extension = pathinfo($file_name, PATHINFO_FILENAME);
+$dir_name = "";
-echo "Desired directory name is: ".$dir_name."
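Review bot: The rewritten wget line now chains the two downloads correctly, but neither artifact is integrity-checked: the Inkscape archive is built from as-is, and `install_dependencies.sh` is fetched from the mutable `master` ref and made executable on the next RUN, so a tampered or substituted response becomes part of the image. Pin the script to a commit SHA instead of `master`, and verify the archive right after the download, e.g. `&& echo "<expected-sha256>  inkscape-INKSCAPE_1_0.zip" | sha256sum -c -` with the digest taken from a known-good copy. The second RUN in this hunk continues past the hunk's last line, so where the script is actually executed is not visible here.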
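Review bot: `RUN apt remove unzip wget -y` as a separate instruction removes the tools from the final filesystem but does not reduce image size, because the binaries were installed in an earlier layer and stay in that layer. `apt` also warns that it has no stable CLI and is not intended for scripts; `apt-get` is the conventional choice in Dockerfiles. If the intent is to keep the image small as well as trimmed, the install-use-remove sequence has to live in one RUN, e.g. `RUN apt-get install -y rpl && apt-get remove -y unzip wget && rm -rf /var/lib/apt/lists/*`, which would mean restructuring the earlier `RUN apt install unzip wget -y` shown in the previous hunk's header.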
"; + if (preg_match("/^[a-zA-Z0-9_]*$/", $_POST['dir_name'])) { + $dir_name = $_POST['dir_name']; + } else { + $errors[] = "Error: For a directory name only alphanumeric characters and underscore are allowed."; + } if (strlen($dir_name) == 0) { $errors[] = "Error: Please enter directory name."; } @@ -38,14 +42,15 @@ $errors[]="Error: Extension not allowed, please choose a JPEG or PNG file."; } if(empty($errors)==true) { + echo "Desired directory name is: ".$dir_name."
"; //$new_name = md5(time() . $file_name); unlink($upload_dir.$file_name); unlink($upload_dir.$without_extension.".pdf"); unlink($upload_dir.$without_extension.".pdf_tex"); if (move_uploaded_file($file_tmp, $upload_dir.$file_name)) { echo "Upload successful.
"; - $current_dir = getcwd(); - echo "Current directory is ".$current_dir."
"; + //$current_dir = getcwd(); + //echo "Current directory is ".$current_dir."
"; $output = shell_exec("./svg-to-latex.sh ".$upload_dir.$file_name." ".$dir_name); echo "

"; echo "Conversion results :
";